CS155: Homework #1

Spring 2016

Due: Thursday, Apr. 21

Problem 1: Control hijacking

A proposal for preventing stack buffer overflow attacks is based on
making a backup copy of the return address when a function starts.
The backup copy is written to a shadow stack located at
some random location L on the heap.
In the function epilog, just before the
function is about to return, the backup copy of the return address is
compared to the return address on the stack and if they differ the program
exits. Otherwise, the return instruction is executed normally.

(a) Explain why this mechanism can make it harder to mount a stack
buffer overflow attack.

(b) Give sample C code that is vulnerable to a stack buffer overflow
attack even if this mechanism is used. For example, consider the case
of function pointers stored on the stack.

Problem 2: Return oriented programming

Suppose an attacker finds the following code fragments in the libc
library once it is loaded in memory:

Moreover, the attacker discovers a stack buffer overflow in some
vulnerable application where a string buffer can overflow. Explain
how in an environment where the stack is marked non-execute the
attacker can nevertheless cause the vulnerable application to write
the value 0x30000000 to memory address 0x48000000 and then jump to
address 0x40088888. Your answer need only show the contents of the
stack in the table below right after the buffer overflow takes place.

Problem 3: Memory management

The iOS _MALLOC(size_t size, int type, int flags) function
allocates size bytes on the heap. Internally blocks are
represented as a length field followed by a data field:

struct _mhead {
size_t mlen;
char dat[0]; }

The mlen field is used by the free()
function to determine how much space needs to be freed.
In iOS 4.x the _MALLOC function was implemented as follows:

Why were these lines added in iOS5.x? Briefly describe an attack
that may be possible without these lines.

Problem 4: Soundness and completeness for static code analysis

In lecture 4, we discussed these two terms briefly:

Soundness:
If the program contain an error (of the kind the analysis tool is intended to detect), the analysis tool will report an error.

Completeness: If the program does not contain an error, the analysis tool will not report any errors.

A false alarm occurs when a tool reports an error, but the program the tool is analyzing does not contain an error.
Can a tool that reports a false alarm be sound? Complete?

Suppose a company sets up an Android app marketplace for its employees. The company is going to use an analysis
tool to check apps for security vulnerabilities before it promotes them to its employees. Which tool property is critical to the company
for this purpose: soundness or completeness?

Dead code does not affect the security of a system because, by
definition, dead coded is not executed. What property of the loop in the following program determines whether the "do something insecure" part of the program is dead code?

Now suppose for the purpose of this homework question that a tool T is both sound and complete.
When T is used to analyze code of the form above that
may contain a vulnerability, what property of the loop determines whether the tool will report an error? Explain.

Problem 5: Taint analysis and security vulnerabilities

The following diagram outlines the states used to track whether a variable v is tainted or clean.

The diagram omits some intermediate states.
More specifically, suppose that source code is analyzed using
an algorithm as described in Lecture 4.
This algorithm gives each variable an abstract value from a finite set.
Two of the abstract values are shown in the diagram: tainted and
clean. Two additional values that are implied but not shown are
lower_check and upper_check.
If a variable has value tainted at some point in the analysis of a program, and a check is made to guarantee that the variable is less than some other value (an upper bound), then the analysis will give the variable value
upper_check afterwards.

Assume d.idx has abstract value tainted at the beginning of the following code.
What value will it have when the second line of code is reached? Explain.
(Hint: It will be either lower_check or upper_check.)

In qmail, most modules run under separate user ids. Similarly,
each Android application runs in a separate process using a separate user id.
From a security standpoint, what is the advantage of assigning separate uids
instead of using the same uid for all? Explain.

The Android zygote process that creates new processes runs as root.
After forking to create a new process, setuid is normally called.
Explain what uid the new process has initially and why it is important to call setuid? What security purpose does this serve?

When a Unix user wishes to change her password, she uses the passwd program.
The Unix password file is usually public readable but (for obvious reasons)
can only be written by processes with root privileges.

How should the setuid bit be set on this passwd program?
Explain how this lets a user change her password.

Why does this make it important to write the passwd program source code carefully?